Unpacking the rules around accessing your medical records — and the new laws and technology that are making it easier for patients
By Erin Marie Miller
When Madalyn Knebel, a 31-year-old Detroit resident, attempted to collect her medical records in 2015, she didn’t expect it to be as difficult — or expensive — as it turned out to be. Suffering from an ongoing health condition that was initially misdiagnosed, Knebel says, “I wanted to gather my records to cross-check them against what other doctors had been saying…and find some answers that I wasn’t getting.”
She recalls that a physician she had visited only once attempted to charge her $45 for copies of medical records from that appointment. Knebel says she was underemployed at the time and, because the mounting fees from multiple doctors became too burdensome for her modest budget, she eventually abandoned her efforts altogether.
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), accessing personal health information is relatively uncomplicated in all 50 states. To initiate the process, individuals simply submit a request to their healthcare provider. In most cases, providers are required to deliver the records within 30 calendar days of the request. While psychotherapy notes and information compiled in reasonable anticipation of use in a legal or administrative action or proceeding are specifically excluded from a patient’s right of access, most other information related to a patient’s health and medical billing should be accessible.
Although the federal government encourages physicians to supply copies of medical records to patients at no charge, the U.S. Department of Health and Human Services clarifies that HIPAA allows doctors and other covered entities to “charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of protected health information in the form and format requested or agreed to by the individual.” Those fees are established annually by each state and can vary extensively.
In Michigan, rates are determined by the Michigan Department of Health and Human Services under the Michigan Medical Records Access Act. In 2019, fees were set at an initial fee of $25.06, $1.25 per page for the first 20 pages, $0.63 per page for pages 21-50, and $0.25 per each additional page beyond that. While patients are not charged the initial fee for their own records, a complete set of medical records can sometimes be thousands of pages depending on their age and overall health — creating a potential financial barrier for those hoping to attain ownership of their full medical history.
Regardless of fees determined by the state, physicians and providers are not always permitted to charge “per page” fees. Under HIPAA, in situations where health records are maintained electronically, physicians and other providers may charge a flat fee of no more than $6.50 for electronic copies of those records, including labor and other costs.
Clearing a Path
In spite of the ways HIPAA’s provisions guarantee that medical records are obtainable by patients, there can still be snares when it comes to accessing them. “One of the things that’s happening right now is this idea of information blocking,” says Jeffrey Segal, a healthcare attorney at Warner Norcross + Judd in Southfield. “The government is now starting to focus on cybersecurity and sharing of electronic health information to improve care, but they’re also focusing on providers that are engaging in what’s called information blocking — where they’re not allowing other providers and patients have access to records.”
As part of the government’s response, Segal says, “There’s a statute called the 21st Century Cures Act, and part of that law carries a provision regarding information blocking.” Signed into law in the final weeks of 2016, the 21st Century Cures Act includes an important provision that legally defines and prohibits information blocking. Under the act, certain entities found to be engaged in information blocking can now be fined up to $1 million per violation. The act also defines interoperability and helps pave the way for electronic medical records to be shared more easily between providers and patients.
The Future is Now
Beyond healthcare and government, the tech industry has also taken notice of the public’s interest in accessing health records. Recently, new apps that allow users to sync their health information have become available for smartphones. In spite of their convenience, consumers should be aware that medical information stored in mobile applications or personal email accounts might not be secure.
Kathryn Marchesini, chief privacy officer at the Office of the National Coordinator for Health Information Technology, says there are important differences between apps offered directly on behalf of healthcare providers, which are bound by HIPAA’s stringent rules, and other third-party apps. “Once a [third-party] app has access to [your health records] and receives that information, the app is not required to follow HIPAA,” she says. “There generally are no requirements that the app has to protect, secure, or keep any of your information private.”
Despite security concerns, medical record access has improved dramatically in the 24 years since HIPAA was enacted. As time goes on, it’s clear that advancements in technology and legislation will continue to carve a path toward a better future where health information and medical records are easier to access and more readily available to everyone, everywhere.
To learn more about accessing your medical records and keeping your health information secure, visit healthIT.gov/access.